Package: src:php5
Version: 5.4.45-0+deb7u2
Severity: important
User: debian-bsd@lists.debian.org
Usertags: kfreebsd
X-Debbugs-Cc: debian-bsd@lists.debian.org

(Followup to https://lists.debian.org/debian-bsd/2016/01/msg00021.html)

This turns out to be some bug or odd behaviour of PHP when handling file
uploads on kfreebsd.  Here's a simple testcase:

    <?php
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        print_r($_FILES);
        var_dump(move_uploaded_file($_FILES['foo']['tmp_name'], '.foo'));
        die();
    }
    ?>
    <html>
    <body><form id="for-you" method="post" enctype="multipart/form-data">
    <input name="foo" type="file" />
    <input type="submit" />
    </form></body>
    </html>

Submitting the web form, PHP writes the uploaded file to /tmp initially,
having a random filename, and moves it to ".foo" in the web document
root at request of the PHP script.

The PHP script is *supposed* to run non-privileged for obvious reasons.
suexec.log suggests I set that up right:

    uid: (1046/foo) gid: (1045/foo) cmd: php-fcgi-starter

And executing <?php passthru('id'); ?> confirms that is generally the
case:

    uid=1046(foo) gid=1045(foo) groups=1045(foo)

But `stat .foo` shows the uploaded file having gid=0 instead, something
not possible to do if you have dropped privileges:

      File: `.foo'
      Size: 5 Blocks: 9 IO Block: 4096 regular file
    Device: 735ae718h/1935337240d Inode: 238962 Links: 1
    Access: (0644/-rw-r--r--) Uid: ( 1046/foo) Gid: ( 0/root)
    Access: 2016-01-15 22:00:02.555410397 +0000       ^^^^^^
    Modify: 2016-01-15 22:00:02.555410397 +0000     wrong gid!
    Change: 2016-01-15 22:00:02.555410397 +0000
     Birth: -

I couldn't repeat this on a GNU/Linux machine.  Is PHP maybe not
dropping privileges properly on GNU/kFreeBSD?  (setgid,setegid issue?)
Haven't yet checked whether it affects regular FreeBSD also.

There seems nothing special about my /tmp: mode 1777/drwxrwxrwt.
That and the web document root are on ZFS.

Thanks.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
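
A diagnostic variant of the testcase above, added here as an example and not part of the original report: it prints the worker's real and effective ids, then the gid of the upload and of its containing directory before and after move_uploaded_file(), so a process that still holds gid 0 can be told apart from a file whose group matches the directory it sits in. The field name 'foo' and destination '.foo' are from the testcase; describe() and verdict() are helpers introduced for this example, and the posix extension is assumed to be loaded.

```php
<?php
// Added diagnostic, not part of the original report. 'foo' and '.foo' come
// from the testcase; describe() and verdict() are helpers introduced here.
// Assumes the posix extension is loaded.
function describe($path) {
    clearstatcache(true, $path);
    $st = @stat($path);
    $dir = @stat(dirname($path));
    if ($st === false || $dir === false) {
        return null;
    }
    return array('path' => $path, 'uid' => $st['uid'], 'gid' => $st['gid'],
                 'dir' => dirname($path), 'dir_gid' => $dir['gid']);
}

function verdict($f, $egid, array $groups) {
    if ($f === null) {
        return 'stat failed';
    }
    if ($f['gid'] === $egid) {
        return 'file gid equals process egid';
    }
    $member = in_array($f['gid'], $groups, true) ? 'is' : 'is NOT';
    if ($f['gid'] === $f['dir_gid']) {
        return "file gid equals gid of {$f['dir']}; process $member in that group";
    }
    return "file gid matches neither egid nor directory; process $member in that group";
}

if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST'
        && isset($_FILES['foo'])) {
    header('Content-Type: text/plain');
    $egid = posix_getegid();
    $groups = posix_getgroups() ?: array();
    printf("uid=%d euid=%d gid=%d egid=%d groups=%s\n", posix_getuid(),
           posix_geteuid(), posix_getgid(), $egid, implode(',', $groups));
    $stages = array('before move' => describe($_FILES['foo']['tmp_name']));
    $moved = move_uploaded_file($_FILES['foo']['tmp_name'], '.foo');
    $stages['after move'] = $moved ? describe('.foo') : null;
    foreach ($stages as $stage => $f) {
        printf("%-12s %s gid=%s: %s\n", $stage, $f ? $f['path'] : '-',
               $f ? $f['gid'] : '-', verdict($f, $egid, $groups));
    }
    exit;
}
?>
<form method="post" enctype="multipart/form-data">
  <input name="foo" type="file" /> <input type="submit" />
</form>
```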